Managing Risk with Procurement, Featuring Linda Tuck Chapman

With the increasing complexity of global supply chains, one thing is on the mind of every procurement organization: third party risk. What types of risk? How can we mitigate it? Many firms implement internal and external controls for risk, but few truly strategize third party risk management in their procurement operations.

“As a CPO, I always felt something was missing from our processes,” she said. “For example, once a contract was signed, we no longer had any visibility. The organization does all this hard work getting the best possible contract, with tight controls, and optimal service levels in place, and then you hand it over to the business. You didn’t see the [risks] and outcomes after that.”

Procurement was traditionally a cost reduction function. Today, Linda believes procurement has the opportunity to do more strategic work and add value to the organization. “Companies that embrace third party risk management as an exercise in regulatory or legal compliance miss the point,” she said. “Third party risk management, done well, drives better outcomes for the business and the company. With today’s threat landscape changing so quickly, procurement has an opportunity to become a vital part of the company’s risk management team.” Linda believes that the mantra for procurement success should be to 1) drive the best value for money, 2) protect the organization from harm, and 3) improve the customer experience.

“Risk management isn’t a separate or discrete activity from procurement processes,” Linda stated. “Third party risk management is a team sport. We must rely on specific expertise provided by risk domain leaders in order to understand certain risks, to ask the right questions, and implement the right controls.” For organizations that are just beginning to explore risk management, Linda suggests careful analysis and collaboration with the business and risk experts from other functions, such as information security or fraud.

Innovation offers new opportunities, but often carries new risks. “Spend more time on the things you don’t understand, and identify risk drivers and controls that positively impact the community your organization serves.”

“Procurement is a Risk Control Function”

Most financial institutions have implemented standard sourcing and procurement pro­cesses. In all but the smallest institutions, procurement is a discrete function. Until re­cently, the primary mandate for procurement has been cost reduction, which has been achieved by introducing professional procurement practices and consolidating the pop­ulation of approved vendors

Procurement processes have historically included due diligence; negotiating pric­ing, terms, and conditions; defining controls; and reporting. While not recognized as such, procurement has always been a risk control function, and is more so in the cur­rent environment. What’s different now is the scope of due diligence, and the amount of rigor and risk-adjusted processes. “Regular assessments and evaluations are the key to an effective risk management program. This is best done before problems emerge,” the OCC advises.15 Holding procurement responsible for specific aspects of third-party risk management, including managing activities and workflow; producing quality doc­umentary evidence; and designing actionable service level agreements will strengthen your program.

With the right leadership, sophisticated procurement organizations may have the competencies necessary to effectively integrate procurement and third-party risk man­agement. In this case, they own the TPRF—policy, processes, and execution

In virtually all financial institutions, responsibility for third-party risk oversight is the responsibility of operational risk management. Operational risk management should ensure that third-party risk management processes throughout their lifecycle are tightly integrated with other risk control groups and management practices in the first line of defense

In the past couple years, many institutions have transferred ownership of the third-party risk management framework, policies, standards, processes, and controls to operational risk. Procurement and other risk control functions retain responsibility for execution. This is usually for one of two reasons: 1) procurement failed to get it done, and 2) expansion of scope from just the vendor population to all third-party relationships moved it beyond the scope of procurement

Regardless of how the work gets done, the threat landscape, the speed of business, and regulatory requirements are bringing third-party and other operational risk management functions closer together than ever. Misalignment between risk control functions will frustrate the business, while creating gaps, overlaps, and missed opportunities.

For a stronger program, each risk control function should take the time to acquire a good working knowledge about the professional disciplines embedded in other risk control functions.”